KPMG’s Scottish cyber and privacy practice director George Scott is highlighting what businesses must do to ensure they don’t fall foul of the new legal framework when the General Data Protection Regulation (GDPR) comes into force a year from today.

“On 25 May 2018, GDPR will affect any organisation in the UK and worldwide which has dealings with consumers and businesses in EU member states. It will fundamentally alter the scale, scope and complexity of the way personal information is processed,” he said.

To avoid issues and subsequent enforcement, including fines of four per cent of global turnover or €20 million – whichever is greater – businesses must raise awareness at board level, conduct a gap analysis to find out where your organisation needs to increase security, and create a plan to minimise risk.

“The regulation will require most organisations to make significant enhancements to their privacy control environment and rethink the way they collect, store, use and disclose personal information.

“These changes are going to be complex and take time, and as such, most organisations cannot afford to wait,” added Scott.

“It’s worrying that with only a year to go, many organisations still have a lot to do. The truth is many businesses do not comprehend the scale of the task and how to deal with it. Unknowns around Brexit also pose uncertainty on what GDPR will mean to the UK, post-Brexit. When it comes to Brexit, it is critical to understand if the UK is going to continue to trade with the EU.”